2012-07-14, 04:15 AM
2012-07-14, 05:26 AM
* Leefish settles down with her popcorn.
2012-07-14, 09:52 AM
If it is an SQL injection, you'll find HTTP requests with SQL commands in the HTTP server (Apache?) logs.
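The check suggested in the post above, as an added example that is not part of the original thread: a Python sketch that URL-decodes the query string of each Apache access-log line and flags SQL syntax. The log lines, the `/plugin.php` path and the signature list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Heuristic signatures for SQL syntax in a decoded query string (illustrative, not exhaustive).
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select"
    r"|select\s.+\sfrom\s"
    r"|information_schema"
    r"|\b(sleep|benchmark)\s*\("
    r"|'\s*(or|and)\s+['\d]"
    r"|(--|#|/\*)\s*$",
    re.IGNORECASE)

def decode(value, rounds=2):
    """URL-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (host, time, status, decoded_query) for requests whose query looks like SQL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        query = decode(urlsplit(m.group("target")).query)
        if query and SQLI_RE.search(query):
            hits.append((m.group("host"), m.group("time"), m.group("status"), query))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '192.0.2.10 - - [14/Jul/2012:03:01:07 +0000] "GET /showthread.php?tid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jul/2012:03:02:11 +0000] "GET /plugin.php?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users--%20 HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [14/Jul/2012:03:02:15 +0000] "GET /plugin.php?id=1%2527%2520OR%25201=1 HTTP/1.1" 500 312 "-" "-"',
    '192.0.2.10 - - [14/Jul/2012:03:05:40 +0000] "GET /search.php?keywords=select+a+theme HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

By default the access log records only the request line, so an injection sent in a POST body will not show up in this scan.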
2012-07-14, 10:58 AM
On what grounds do you make accusations or state it? Firstly, you didn't even provide how it was done, or you yourself are not sure and are still saying it was an injection.
I very much doubt what pavemen said; it's possibly a bad forum configuration/permissions to uncheck who can see the forum. Moreover, you said no one even logged into the ACP.
2012-07-14, 08:54 PM
If you are using MyTabs it has an SQL injection in there.
2012-07-14, 10:08 PM
(2012-07-14, 08:54 PM)Justice Wrote: [ -> ]If you are using MyTabs it has an SQL injection in there.
It had an SQLi vulnerability in there. It was fixed last year.
2012-07-15, 07:27 AM
(2012-07-14, 03:39 AM)Nathan Malcolm Wrote: [ -> ]When vulnerabilities are made public we patch them within days, if not hours. There are no known vulnerabilities in the latest version of MyBB.
No known vulnerabilities?
We're not covering anything up, we have no reason to.
http://packetstormsecurity.org/files/113...68-sql.txt
http://seclists.org/bugtraq/2012/Jun/133
2012-07-15, 07:33 AM
(2012-07-15, 07:27 AM)yes123 Wrote: [ -> ](2012-07-14, 03:39 AM)Nathan Malcolm Wrote: [ -> ]When vulnerabilities are made public we patch them within days, if not hours. There are no known vulnerabilities in the latest version of MyBB.
No known vulnerabilities?
We're not covering anything up, we have no reason to.
http://packetstormsecurity.org/files/113...68-sql.txt
http://seclists.org/bugtraq/2012/Jun/133
Both were incorrectly reported as MyBB vulnerabilities. Those vulnerabilities are within plugins.
http://community.mybb.com/member.php?action=profile&uid=1'
http://community.mybb.com/announcements.php?aid=7'
As I previously stated, there are no known vulnerabilities in the latest version of MyBB.
2012-07-21, 06:16 PM
Any idea what plugin?
2012-07-21, 07:05 PM
(2012-07-21, 06:16 PM)Snickers Wrote: [ -> ]Any idea what plugin?
There are a lot of plugins out there that might have vulnerabilities.
I recommend you download your plugins from here: http://mods.mybb.com/mods
and perform a scan before and after installing the plugin and check if
there is a difference in the results. Anyway, let's not go off-topic.
OP, please provide proof that the SQLi vulnerability was in the MyBB script, not in one
of your plugins.
Regards,
illusion